core: support dynamic protected memory lending

With CFG_CORE_DYN_PROTMEM=y support dynamic protected memory lending.

A new internal struct mobj_ffa_rsm is added to handle dynamic protected
memory f

core: support dynamic protected memory lending

With CFG_CORE_DYN_PROTMEM=y support dynamic protected memory lending.

A new internal struct mobj_ffa_rsm is added to handle dynamic protected
memory for FF-A.

A new internal struct mobj_protmem is add to handle dynamic protected
memory without FF-A.

Lending non-secure memory to OP-TEE to use it as protected memory means
that it should to become inaccessible by the normal world as part of the
process. This part is currently not supported, since it must be done in
a platform specific way for platforms that support that. QEMU don't
support that.

Adding two platform specific functions, plat_get_protmem_config() and
plat_set_protmem_range() for dynamic protected memory. The functions has
__weak implementation to allow easier testing. However,
plat_set_protmem_range() requires CFG_INSECURE=y since it doesn't change
memory protection.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: SMC ABI to return protected memory configuration

Extend the SMC ABI to return the protect memory configuration.

A capability bit, OPTEE_SMC_SEC_CAP_PROTMEM, is added to announce that
the

core: arm: SMC ABI to return protected memory configuration

Extend the SMC ABI to return the protect memory configuration.

A capability bit, OPTEE_SMC_SEC_CAP_PROTMEM, is added to announce that
the new SMC fast call OPTEE_SMC_GET_PROTMEM_CONFIG is available.
OPTEE_SMC_GET_PROTMEM_CONFIG returns the physical memory range of
reserved protected memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: pass guest ID to SMC_ENABLE_ASYNC_NOTIF

notif_deliver_atomic_event() expects guest_id which
is used to retrieve struct guest_partition* from
virt_get_guest(). The guest_id passed is stati

core: arm: pass guest ID to SMC_ENABLE_ASYNC_NOTIF

notif_deliver_atomic_event() expects guest_id which
is used to retrieve struct guest_partition* from
virt_get_guest(). The guest_id passed is static (0),
which causes trouble when OPTEE_SMC_ENABLE_ASYNC_NOTIF
comes from a guest. When this happens, virt_get_guest()
returns NULL which fails the assertion in get_notif_data()
which exclusively checks for CONFIG_NS_VIRTUALIZATION.

Signed-off-by: Yuvraj Sakshith <ysakshith@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add CFG_RPMB_ANNOUNCE_PROBE_CAP

Add CFG_RPMB_ANNOUNCE_PROBE_CAP to control whether RPMB probe capability
should be announced to the kernel. For the kernel driver to enable
in-kernel RPMB routi

core: add CFG_RPMB_ANNOUNCE_PROBE_CAP

Add CFG_RPMB_ANNOUNCE_PROBE_CAP to control whether RPMB probe capability
should be announced to the kernel. For the kernel driver to enable
in-kernel RPMB routing it must know in advance that OP-TEE supports it.
By masking the capability the kernel will route all RPMB commands to
tee-supplicant.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: rpmb: probe for kernel RPMB driver

Three RPC functions are added to support RPMB probing and properly align
RPMB frames, OPTEE_RPC_CMD_RPMB_PROBE_RESET,
OPTEE_RPC_CMD_RPMB_PROBE_NEXT, and OPTE

core: rpmb: probe for kernel RPMB driver

Three RPC functions are added to support RPMB probing and properly align
RPMB frames, OPTEE_RPC_CMD_RPMB_PROBE_RESET,
OPTEE_RPC_CMD_RPMB_PROBE_NEXT, and OPTEE_RPC_CMD_RPMB_FRAMES.

OPTEE_RPC_CMD_RPMB_PROBE_RESET resets probing to a well known state and
returns the shared memory type needed when allocating shared memory for
communication with later RPMB functions.

OPTEE_RPC_CMD_RPMB_PROBE_NEXT selects the next RPMB device and returns
its device information. Later calls to OPTEE_RPC_CMD_RPMB will use this
selected device.

OPTEE_RPC_CMD_RPMB_FRAMES sends the raw RPMB frames to normal world for
further routing to the RPMB device.

tee_rpmb_reinit() is added to allow re-initializing the RPMB FS if a
boot stage has used RPMB.

Backwards compatibility is maintained by falling back to the old type of
initialization if OPTEE_RPC_CMD_RPMB_PROBE_RESET returns
TEE_ERROR_NOT_SUPPORTED.

Whether RPMB devices are probed by the kernel or tee-supplicant is
decided by the kernel driver where the shared memory type returned by
OPTEE_RPC_CMD_RPMB_PROBE_RESET plays a vital role.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: make generic notifications virtualization-aware

Makes the generic notification handling aware of virtualization. Atomic
events are delivered with a guest_id parameter and asynchronous
notifica

core: make generic notifications virtualization-aware

Makes the generic notification handling aware of virtualization. Atomic
events are delivered with a guest_id parameter and asynchronous
notifications are started per guest_id.

struct notif_data is added as guest specific data to be able to track if
notifications are started for a guest.

While this patch compiles it doesn't work as intended without patches
handling the ABI specific side of things.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: fix dead code when ARM32 is not defined

Remove dead code warning when ARM32=n.
When ARM32=n, ret is always equal to TEE_ERROR_NOT_SUPPORTED. It makes
the following if() else if () useless

core: arm: fix dead code when ARM32 is not defined

Remove dead code warning when ARM32=n.
When ARM32=n, ret is always equal to TEE_ERROR_NOT_SUPPORTED. It makes
the following if() else if () useless.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander

core: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add CFG_WDT_SM_HANDLER_ID in TOS fast call list

Add CFG_WDT_SM_HANDLER_ID as a TOS fast call entry to manage the
ARM watchdog service in 64 bit mode. Add also the associated ABI
description.
D

core: add CFG_WDT_SM_HANDLER_ID in TOS fast call list

Add CFG_WDT_SM_HANDLER_ID as a TOS fast call entry to manage the
ARM watchdog service in 64 bit mode. Add also the associated ABI
description.
Define the CFG_WDT_SM_HANDLER_ID with a default value.

Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

virt: rename CFG_VIRTUALIZATION to CFG_NS_VIRTUALIZATION

With the advent of virtualization support at S-EL2 in the Armv8.4-A
architecture, CFG_VIRTUALIZATION has become ambiguous. Let's rename
it to

virt: rename CFG_VIRTUALIZATION to CFG_NS_VIRTUALIZATION

With the advent of virtualization support at S-EL2 in the Armv8.4-A
architecture, CFG_VIRTUALIZATION has become ambiguous. Let's rename
it to CFG_NS_VIRTUALIZATION to indicate more clearly that it is about
supporting virtualization on the non-secure side.

This commit is the result of the following command:

$ for f in $(git grep -l -w CFG_VIRTUALIZATION); do \
sed -i -e 's/CFG_VIRTUALIZATION/CFG_NS_VIRTUALIZATION/g' $f; \
done

...plus the compatibility line in mk/config.mk:

CFG_NS_VIRTUALIZATION ?= $(CFG_VIRTUALIZATION)

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

show more ...

core: log capabilities with INFO level

Use IMSG() to log the capabilities that depend on configuration, which
are: reserved and dynamic shared memory, virtualization and asynchronous
notifications.

core: log capabilities with INFO level

Use IMSG() to log the capabilities that depend on configuration, which
are: reserved and dynamic shared memory, virtualization and asynchronous
notifications.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add OPTEE_SMC_CALL_WITH_RPC_ARG

Adds OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG where
the struct optee_msg_arg to be used for RPC is appended in the memory
following the norm

core: add OPTEE_SMC_CALL_WITH_RPC_ARG

Adds OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG where
the struct optee_msg_arg to be used for RPC is appended in the memory
following the normal argument struct optee_msg_arg.
OPTEE_SMC_CALL_WITH_REGD_ARG only works with registered shared memory, a
cookie and an offset is used instead a physical address.

The presence OPTEE_SMC_CALL_WITH_RPC_ARG and
OPTEE_SMC_CALL_WITH_REGD_ARG is indicated by the new
OPTEE_SMC_SEC_CAP_RPC_ARG bit returned by
OPTEE_SMC_EXCHANGE_CAPABILITIES. OPTEE_SMC_EXCHANGE_CAPABILITIES also
reports the number of arguments that the RPC argument struct must have
room for.

OPTEE_SMC_CALL_WITH_RPC_ARG, OPTEE_SMC_CALL_WITH_ARG and
OPTEE_SMC_CALL_WITH_REGD_ARG can be used interleaved.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add asynchronous notifications

Adds support for asynchronous notifications from secure world to normal
world. This allows a design with a top half and bottom half type of
driver where the top

core: add asynchronous notifications

Adds support for asynchronous notifications from secure world to normal
world. This allows a design with a top half and bottom half type of
driver where the top half runs in secure interrupt context and a
notifications tells normal world to schedule a yielding call to do the
bottom half processing.

The protocol is defined in optee_msg.h optee_rpc_cmd.h and optee_smc.h.

A notification consists of a 32-bit value which normal world can
retrieve using a fastcall into secure world. OP-TEE is currently only
supporting the value 0-63 where 0 has a special meaning. When 0 is sent
it means that normal world is supposed to make a yielding call
OPTEE_MSG_CMD_DO_BOTTOM_HALF.

The notification framework in OP-TEE defines an interface where drivers
can register a callback which is called on each yielding bottom half
call.

Notification capability is negotiated with the normal world while it
initializes its driver. If both sides supports these notifications then
they are enabled.

CFG_CORE_ASYNC_NOTIF_GIC_INTID is added to define the hardware interrupt
used to notify normal world. This is added to the DTB in case OP-TEE can
is configured with CFG_DT=y. Other cases requires the normal world DTB
to be kept in sync with this.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: virtualization.h: add dummy static inline functions

Adds dummy static inline functions to replace the normal virt_*()
functions in virtualization.h when CFG_VIRTUALIZATION is not configured.

core: virtualization.h: add dummy static inline functions

Adds dummy static inline functions to replace the normal virt_*()
functions in virtualization.h when CFG_VIRTUALIZATION is not configured.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: virt: use TEE_Result return type for virt_*() functions

Uses TEE_Result as return type for all virt_*() functions returning
anything but void in <kernel/virtualization.h>

Reviewed-by: Etienne

core: virt: use TEE_Result return type for virt_*() functions

Uses TEE_Result as return type for all virt_*() functions returning
anything but void in <kernel/virtualization.h>

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove generic_ from generic_boot

Now that the CFG_GENERIC_BOOT configuration flag has been removed also
remove "generic_" prefix from and in the related files.

Acked-by: Etienne Carriere <et

core: remove generic_ from generic_boot

Now that the CFG_GENERIC_BOOT configuration flag has been removed also
remove "generic_" prefix from and in the related files.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: TEE capability for null sized memrefs support

Introduce a new capability OPTEE_SMC_SEC_CAP_MEMREF_NULL to reflect
support for null shared memory references that is buffer references
with null

core: TEE capability for null sized memrefs support

Introduce a new capability OPTEE_SMC_SEC_CAP_MEMREF_NULL to reflect
support for null shared memory references that is buffer references
with null size and null address reference.

Signed-off-by: Michael Whitfield <michael.whitfield@nxp.com>
Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU)

show more ...

core: entry_fast.c: fix warning when CFG_CORE_DYN_SHM=n

When CFG_CORE_DYN_SHM=n and CFG_TEE_CORE_LOG_LEVEL<3 we have:

$ make -s CFG_CORE_DYN_SHM=n CFG_TEE_CORE_LOG_LEVEL=2
core/arch/arm/tee/entry

core: entry_fast.c: fix warning when CFG_CORE_DYN_SHM=n

When CFG_CORE_DYN_SHM=n and CFG_TEE_CORE_LOG_LEVEL<3 we have:

$ make -s CFG_CORE_DYN_SHM=n CFG_TEE_CORE_LOG_LEVEL=2
core/arch/arm/tee/entry_fast.c: In function ‘tee_entry_exchange_capabilities’:
core/arch/arm/tee/entry_fast.c:65:7: warning: unused variable ‘dyn_shm_en’ [-Wunused-variable]
65 | bool dyn_shm_en = false;
| ^~~~~~~~~~

Add __maybe_unused to get rid of the warning.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: replace thread_fast_smc_handler_ptr with weak function

Removes registration of platform specific fast SMC entry function in
thread_fast_smc_handler_ptr. Instead a __weak overridable
tee_entry_

core: replace thread_fast_smc_handler_ptr with weak function

Removes registration of platform specific fast SMC entry function in
thread_fast_smc_handler_ptr. Instead a __weak overridable
tee_entry_fast() is provided. Platforms that need a special
tee_entry_fast() (currently on plat-zynq7k) provides their own
tee_entry_fast() instead which at the end should call __tee_entry_fast()
which does the generic fast call handling.

With this also fast_smc is removed from struct thread_handlers and
consequently all platforms are updated to stop using that field.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce OPTEE_SMC_SEC_CAP_VIRTUALIZATION

We need some way to tell normal world if OP-TEE does support
virtualization. Prior to this patch NW had to probe for virtualization by
calling OPTEE_

core: introduce OPTEE_SMC_SEC_CAP_VIRTUALIZATION

We need some way to tell normal world if OP-TEE does support
virtualization. Prior to this patch NW had to probe for virtualization by
calling OPTEE_SMC_VM_DESTROYED which is not reliable.

New capability flag OPTEE_SMC_SEC_CAP_VIRTUALIZATION solves this issue.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

tee: entry_fast: reduce verbosity of dynamic shared memory message

Outside of the initial boot or error cases OP-TEE is quiet, this
is a notable exception that dirties up the boot log and has caused

tee: entry_fast: reduce verbosity of dynamic shared memory message

Outside of the initial boot or error cases OP-TEE is quiet, this
is a notable exception that dirties up the boot log and has caused
confusion during kernel boot by users. It is only needed for
debug purposes.

Reduce this message to only debug verbosity.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove CFG_DYN_SHM_CAP

Removes the now obsolete CFG_DYN_SHM_CAP. CFG_CORE_DYN_SHM should be
used instead to enable/disable support for dynamic shared memory.

Reviewed-by: Etienne Carriere <et

core: remove CFG_DYN_SHM_CAP

Removes the now obsolete CFG_DYN_SHM_CAP. CFG_CORE_DYN_SHM should be
used instead to enable/disable support for dynamic shared memory.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce CFG_CORE_RESERVED_SHM

Introduces CFG_CORE_RESERVED_SHM which if set to y enables reserved shared
memory, else disables support for reserved shared memory.

Reviewed-by: Etienne Carri

core: introduce CFG_CORE_RESERVED_SHM

Introduces CFG_CORE_RESERVED_SHM which if set to y enables reserved shared
memory, else disables support for reserved shared memory.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce CFG_CORE_DYN_SHM

Introduces CFG_CORE_DYN_SHM which if set to y enables dynamic shared
memory, else disables support for dynamic shared memory. In contrast
with CFG_DYN_SHM_CAP it act

core: introduce CFG_CORE_DYN_SHM

Introduces CFG_CORE_DYN_SHM which if set to y enables dynamic shared
memory, else disables support for dynamic shared memory. In contrast
with CFG_DYN_SHM_CAP it actually removes the support instead of just
omit reporting it.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Introduce OPTEE_SMC_GET_THREAD_COUNT

This call should be used to query OP-TEE about number of threads
(basically, CFG_NUM_THREADS build option).

It is introduced after discussion at [1] about

core: Introduce OPTEE_SMC_GET_THREAD_COUNT

This call should be used to query OP-TEE about number of threads
(basically, CFG_NUM_THREADS build option).

It is introduced after discussion at [1] about possibility to read
number of supported threads. It is needed for XEN OP-TEE mediator to
mitigate possible DoS from virtual guest. If XEN knows number of
OP-TEE threads, it can limit number of standard calls from the guest
on own side.

Also, it can be used by optee client driver, to ratelimit number of calls
from its side.

Link: [1] https://lists.xenproject.org/archives/html/xen-devel/2019-01/msg01460.html

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...